Sectigo’s new IoT platform now seamlessly hardens devices with embedded
tools and a secure boot

Sectigo (formerly Comodo CA) has acquired Icon Labs, a security
company specializing in IoT security solutions. The acquisition was announced
yesterday via press release and on its blog.

The move is consistent with a larger trend – Certificate Authorities
beginning to provide PKI-based IoT security solutions to manufacturers. And
quite frankly, this is a much-needed reaction to the glaring lack of security
that has traditionally plagued IoT devices.

Perhaps unsurprisingly, in our haste to connect every
conceivable device to the internet, security took a back seat. And now it
turns out that all those unsecured household and industrial devices are a
perfect addition to botnets and can be harnessed to do evil. Or just made to
mine cryptocurrency.

Regardless, IoT security has never been more important than
it is in 2019. So, today we’re going to talk about what exactly it is that PKI
is securing with regard to the IoT, and we’ll discuss why Sectigo’s acquisition
of Icon Labs bodes well for the future.

Let’s hash it out.

Sectigo Expands its IoT Security Platform

For customers of both Sectigo and Icon Labs this move will
add a slew of additional security features to the services you were already enjoying.
Icon Labs customers will now have access to “purpose-built IoT issuance” from
the world’s leading CA. Sectigo IoT customers will now be able to further
harden their devices with embedded tools and a multi-stage secure boot.

“Icon Labs has been
growing and addressing this challenge by securing the device market for more
than two decades. For the first time, embedded security technology is combined
with device authentication and identity management to provide customers with a
complete IoT security platform that solves many of the challenges presented by
the rising number of threats,” said Bill Holtz,
CEO, Sectigo.

The acquisition makes Sectigo the first CA to offer
end-to-end security for IoT devices – from manufacture through the end of their
lifecycle. Now customers will be able to secure the device itself as opposed to
just securing network perimeters.

Secure Remote Updates and Alerts – Firmware and
software updates are further secured, offering authentication, integrity checks
and the ability to issue alerts in the event that an update fails.

On-premise CA – In addition to a Sectigo cloud-based
CA, you can now leverage an on-site CA to perform critical functions like
issuance, registration renewals/revocations.

“By joining Sectigo, Icon
Labs is contributing to a powerful advancement in connected device security. We
are securing IoT devices and the convergence of traditional IT systems and
Operational Technology (OT); that is, the hardware and software that detects or
causes changes in physical processes through direct monitoring and/or control
of physical devices,” said Alan Grau, Founder of Icon Labs.

What exactly are we securing with IoT devices?

Sectigo’s IoT Security platform is now capable of securing
just about every attack vector facing IoT devices, from attacks that occur
while the device is booting, to attacks that may occur while the device is
connected to a network, to attacks that occur during the update cycle.

“Icon Labs adds an
important set of products and core competencies to the Sectigo technology
suite. Sectigo will continue to provide existing Icon Labs customers with the
full set of offerings they’re accustomed to. Additionally, we are proud to make
the acquired technology products available to the full set of Sectigo
enterprise customers for their device security needs,” writes Sectigo
Senior Fellow, Tim Callan.

Icon Labs’ ability to harden devices by securing all stages
of the boot process and embedding tools like firewalls shuts down attack vectors
that Sectigo previously couldn’t address. And vice versa.

So, how does PKI better secure the IoT?

For starters, it provides a much-needed mechanism for
authentication. We rarely talk about SSL/TLS client certificates, the ones that
individual users can use to authenticate themselves. That’s because from a
retail perspective there’s not much of a use for client certificates. It’s just
an added layer of complexity.

But at the corporate level, especially with organizations
that allow employees to bring their own devices, it’s important to be able to
authenticate the device and possibly even its user. The business sector isn’t
really the one pushing the IoT numbers up to an estimated 75 billion by 2025
though. That’s largely on account of the industrial sector, where OEMs, or
Original Equipment Manufacturers, make connected components that go into larger
systems and machines. A mistake in the business sector could lead to a breach
or some kind of financial harm, but there are rarely physical stakes. Not so
with industrial components. Over the past few years we’ve seen a couple of
attempts to attack a Saudi chemical company, which would have resulted in loss
of life were it not for a failsafe that shut down the whole plant. Power grids
in Ukraine have been attacked. And then, of course, there was the Stuxnet
virus that overloaded Iranian nuclear centrifuges.

IoT devices have become a major target and authentication is
a great way to help avoid compromise.

But authentication is far from the only thing PKI can do to
secure the IoT. That’s because client and server certificates aren’t the only
kind of PKI certificate. You can also use Code Signing certificates to better
secure updates and patches. Digitally signing your updates before pushing
them to the connected devices they’re intended for allows each device to
verify the integrity and legitimacy of the code. This prevents anyone from
pushing an unsanctioned update, even if they manage to compromise the update server.
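
The device-side check described above, as an added example that is not from the article or from Sectigo or Icon Labs: the device trusts only a root CA provisioned at manufacture, accepts an update only if the signer's certificate chains to that root with the code-signing extended key usage, and only if the signature covers the exact image bytes. The CA, certificates, Ed25519 keys and firmware bytes are constructed test data, and `mint` and `verifyUpdate` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint makes a constructed key and certificate; parent == nil yields a self-signed root CA.
func mint(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// verifyUpdate is the device-side check: signer chains to the pinned root for code signing, and signed this image.
func verifyUpdate(root, signer *x509.Certificate, image, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	} else if pub, ok := signer.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, image, sig) {
		return fmt.Errorf("signature does not match image")
	}
	return nil
}

func main() {
	ca, caKey := mint("Constructed Root CA", nil, nil) // trust anchor provisioned on the device
	signer, key := mint("Constructed Firmware Signer", ca, caKey)
	fake, fakeKey := mint("Attacker", nil, nil) // self-issued on the update server, does not chain to ca
	fw := []byte("constructed firmware v2")
	fmt.Println("genuine:", verifyUpdate(ca, signer, fw, ed25519.Sign(key, fw)))
	fmt.Println("tampered:", verifyUpdate(ca, signer, []byte("constructed firmware v2 + implant"), ed25519.Sign(key, fw)))
	fmt.Println("rogue signer:", verifyUpdate(ca, fake, fw, ed25519.Sign(fakeKey, fw)))
}
```

The tampered and rogue-signer cases are rejected even though the update server controls every byte it delivers, because neither the pinned root nor the signing key lives on that server.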

Finally, there’s the simple issue of encrypting any data
that’s transmitted via TLS. In many contexts the information being shared by
these devices is highly sensitive, so transmitting it insecurely invites
disaster. Ensuring that every device has a certificate and can connect securely
effectively encrypts all data while it’s in transit and prevents
Man-in-the-Middle attacks and eavesdropping in general.

And, as we covered, with Icon Labs’ technology now undergirding its IoT Security Platform, Sectigo can further secure connected devices with embedded tools and improved boot security. Toss in the inclusion of its recent Zero-Touch deployment feature and Sectigo is really starting 2019 off with a bang.

Author

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. He also designs the visuals for Hashed Out and serves as the Content Manager for The SSL Store™.